North Carolina-based Autonomic Resources last week became the only firm to complete a new security review process for all federal cloud products and services.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products. The program is housed within the General Services Administration.
As part of FedRAMP, a joint board of chief information officers from the Homeland Security and Defense departments and GSA reviewed Autonomic’s cloud offering and whether it met federal security standards. The company had to verify that it met some 300 security requirements, including proof that its systems operators, who have access to systems that provide government services, use two-factor authentication. This requires users to provide two forms of evidence to verify who they are before accessing the systems.
Autonomic is the first cloud vendor to receive a so-called provisional authority to operate (ATO) from the joint board of CIOs. The provisional ATO proves a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
The provisional ATOs are expected to speed adoption of cloud services throughout government because other agencies can accept the FedRAMP reviews and assess only their unique security requirements, as opposed to starting from scratch. “By using FedRAMP and eliminating redundant security assessments, agencies can save an estimated $200,000 per authorization,” GSA’s Dave McClure said in a statement.
By now, the administration had hoped to complete at least three FedRAMP reviews. In September, McClure said one challenge is that many vendors don’t understand federal security requirements.
The joint board expects to issue additional ATOs early this year, according to GSA.
By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements. Agencies can use FedRAMP guidelines to vet the security of their own contractors, or wait for FedRAMP reviews to be completed.
The General Services Administration has awarded contracts to 43 small businesses for tablet computers, mobile devices and other common information technology products and services, the agency announced Thursday.
The blanket purchase agreements were awarded through GSA’s National Information Technology Commodity Program and are available to federal, state and local agencies. GSA’s Office of Integrated Technology Services launched the program last year in an effort to procure IT commodities and supplement services for government agencies. The contracts will provide agencies with deeper discounts than those offered on GSA’s Multiple Award Schedules, according to an agency news release.
Other products offered on the contracts include monitors, video teleconference equipment, laptops, desktops, netbooks and data center equipment. Vendors will be able to add new products to the contracts within 24 hours, GSA said.
The General Services Administration has launched an online dashboard to provide agencies and industry with greater access to its contract spending data for planning and budgeting purposes.
The Governmentwide Acquisition Contract (GWAC) Dashboards aggregate non-classified data on federal information technology spending from 2004 to present through GSA’s five GWACs: 8(a) STARS, 8(a) STARS II, Alliant, Alliant Small Business and VETS contracts, GSA announced on Tuesday.
“This tool is especially valuable to small businesses as it provides access to business intelligence they can use to assess market opportunity, decide how best to allocate resources, and identify potential teaming partners for future projects,” GSA Federal Acquisition Service Acting Commissioner Mary Davie said in a statement.
The dashboard is updated daily and can also help agencies monitor their use of GSA GWACs. It allows users to create customized reports with contracting data sorted by year, contract, federal agency or company.
For example, a quick search of spending data by fiscal year showed that total obligated sales on GSA’s governmentwide contracts have exceeded $218 million, with Alliant sales accounting for nearly half that number.
The website, however, has a disclaimer: “The data contained within may not be fully accurate.”
As Congress and the administration grapple with how best to cut the federal deficit, a group of industry and government leaders are suggesting that information technology be used to reduce that number by billions of dollars.
The American Council for Technology and Industry Advisory Council’s (ACT-IAC) Institute for Innovation on Tuesday released recommendations for the Obama administration to cut the deficit by $220 billion annually through increased use of data analytics and industry best practices. ACT-IAC is a public-private partnership focused on helping government use technology to serve the public.
More than 100 volunteers from government and industry provided input for ACT-IAC’s first Quadrennial Government Technology Review, a series of reports detailing how IT can be used to solve the nation’s most challenging issues such as rising healthcare costs, citizen services and a lack of qualified workers for science and technology-related jobs.
Here’s a very high-level explanation from ACT-IAC on how it arrived at $220 billion in annual savings:
- $70 billion by using big data analytics creatively in the federal healthcare space, based on numbers from the McKinsey Global Institute. McKinsey estimates that the nation’s healthcare sector could save $300 billion annually through big data, and $70 billion is the federal sector.
- $50 billion by using enhanced IT tools to better share, access and analyze data to reduce improper payments and uncollected taxes. In the report, ACT-IAC backs this claim using IRS reports that the amount of uncollected taxes is $385 billion and improper payments made by the federal government total more than $100 billion a year. The group suggests that IT tools could reduce the overall number by 10 percent.
- $100 billion by investing in technology to increase productivity and reduce costs, based on industry best practices. These savings are a fraction of the total $970 billion that government could save over 10 years by adopting industry best practices identified in the report.
| Industry best practice | Estimated savings |
|---|---|
| Streamline Government Supply Chain | $500B |
| Monetize Government Assets | $150B |
| Reduce Field Operations/Self Serve | $50B |
| Shared Mission Support | $50B |
| Reduce Energy Usage | $20B |
The Veterans Affairs Department has awarded HP Enterprise Services a $36 million contract to move 600,000 email accounts to the cloud.
Under the five-year contract, VA users will have access to email and shared calendars using Microsoft Office 365 for Government. Users, however, will not have access to additional features such as instant messaging and web and video conferencing.
“VA is moving to cloud-based email and collaboration as part of a broader effort to leverage emerging technologies to reduce costs, increase efficiencies and, most importantly, improve service delivery to our nation’s veterans,” Charles De Sanno, executive director for enterprise systems engineering at the VA, said in a news release.
The HP contract was awarded under VA’s Veterans Administration Transformation Twenty-One Total Technology, or T4 program.
The administration’s cloud first mandate requires agencies to first consider a cloud solution when procuring information technology. In addition to VA, Agriculture Department, Federal Aviation Administration, Defense Information Systems Agency and the Environmental Protection Agency are using Microsoft’s cloud-based email.
The Department of Homeland Security is following through on recommendations to hire at least 600 cybersecurity experts, DHS Secretary Janet Napolitano said Wednesday.
Speaking at a Washington Post cybersecurity forum, Napolitano said the department is looking to hire cyber experts, analysts, IT specialists and people who are familiar with coding.
In June, DHS Secretary Janet Napolitano directed a newly formed CyberSkills task force to develop recommendations for growing DHS’s cyber workforce and expanding the pipeline of cyber talent nationwide, which includes hiring at least 600 cyber professionals.
Napolitano said DHS has increased its workforce by 600 percent over the last few years, and she praised President Obama’s budgetary backing of the department’s cybersecurity efforts.
However, similar efforts have been underway for the past few years to hire cyber professionals, James Lewis, senior fellow and program director at the Center for Strategic and International Studies, said on a separate panel. “So, what’s going on?”
One issue the report identified is that DHS has not properly identified the skills needed to defend against threats, making it difficult to hire people with those skills. To keep pace with the growing threat, DHS has relied heavily on contractors, “leaving fewer of these sought-after positions open to federal employees,” the report said.
“We’ve probably gone from about five miles an hour to 85 miles an hour at DHS in the last three or so years,” Napolitano said. “We need to be at 120 miles an hour, and I would say that across the federal government.”
Napolitano wouldn’t discuss the starting salaries of DHS cyber experts but joked that there are no signing bonuses.
Overall, she said the government needs to improve real-time information sharing with the private sector and there needs to be better widespread adoption of cybersecurity best practices for critical infrastructure. She said most sectors have adopted adequate cyber practices, but in an interconnected world if there is one weak link everyone is affected.
Federal agencies expect to save $2.5 billion over the next three years by consolidating duplicative information technology systems, buying in bulk and eliminating failing IT projects.
Those savings were identified using a new approach – called PortfolioStat – where agency officials review their spending for common IT resources such as email and desktop computers in search of duplicative investments and opportunities to consolidate projects, Acting Office of Management and Budget Director Jeffrey Zients said in a blog post Wednesday.
OMB officials met with agencies’ senior executives, including the chief information officer, financial officer, acquisition officer and operating officer this summer. OMB used data collected for these meetings to show agencies where their spending plans have gaps and weaknesses, how to address them, and how to develop long-term plans to consolidate IT spending and share services within agencies and across government over the next three years.
Based on the analysis with OMB, agencies created PortfolioStat plans that were reviewed in follow-up sessions with the agency’s deputy secretary and the federal chief information officer, Zients said.
“Agencies identified 98 opportunities to consolidate or eliminate commodity IT areas, ranging from the consolidation of multiple email systems across an agency to the reduction of duplicative mobile or desktop contracts,” Zients said. OMB has not publicly released a list of those opportunities.
Projected savings include:
- $376 million over three years at the Department of Homeland Security by purchasing IT infrastructure in bulk.
- $59 million at the Social Security Administration by using a new program to buy computers in bulk.
- $90.3 million at the Treasury Department by consolidating key financial management systems.
While the Transportation Security Administration has made headway in defending against insider attacks, the agency lacks specific policies and procedures to mitigate those threats, according to a recent inspector general audit.
The September audit, released this week, found that TSA has not implemented insider threat policies and procedures that clearly explain its employees’ role in defending against insider threats. TSA also lacks a risk mitigation plan that ensures all employees address the risks of insider threats in a consistent way.
TSA defines insider threat as “one or more individuals with access or insider knowledge that allows them to exploit the vulnerabilities of the nation’s transportation systems with the intent to cause harm,” according to the Department of Homeland Security IG audit. Threats can include spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks. Insider threats can include current and former employees and contractors.
The report noted that TSA doesn’t have a mandatory insider threat training and awareness program for employees, and it lacks protective measures to ensure unauthorized employees can’t, for instance, dump massive amounts of sensitive data onto a portable storage device.
The IG recommends that TSA’s assistant administrator for information technology:
- Further develop TSA’s insider threat program by including policies, procedures and a risk management plan.
- Require insider threat awareness training for employees.
- Direct systems administrators to disable USB ports on computers and laptops if there is not a legitimate need for them.
- Limit the size of email file attachments until the proper measures are in place to detect or prevent unauthorized exfiltration of sensitive information.
However, TSA said it has developed a directive, currently awaiting approval, that identifies policies and procedures for its insider threat program. The agency stood up a toll-free hotline and email address for reporting insider threats and also plans to roll out an insider threat training and awareness program.
The agency said disabling USB ports isn’t feasible but, instead, has an application in place to alert the agency when data is transferred outside DHS networks. TSA also disagreed with any restrictions on email file sizes.
Further discussions between the agency and the IG are required to hash out differing opinions.
In June, Reps. Bennie Thompson, D-Miss., and Sheila Jackson Lee, D-Texas, questioned TSA’s plans to purchase software that monitors employees’ keystrokes, emails and other online activities as part of a larger effort to defend against internal attacks.
In a response letter, TSA Administrator John Pistole said the software would provide TSA with forensic evidence for investigations should an employee ever be identified as a potential insider threat to TSA’s mission.
In an Oct. 3 response letter to the IG audit, the lawmakers requested a detailed description of TSA’s current spending related to the insider threat, an estimate of the anticipated lifecycle cost of the monitoring software the agency plans to buy, when TSA will have policies, procedures and a risk management plan and other information by Oct. 17.
The Government Accountability Office on Monday denied a protest against Lockheed Martin’s $4.6 billion contract award to support the Pentagon’s global data network.
In its June protest to GAO, Science Applications International Corp. claimed that the Defense Information Systems Agency unreasonably evaluated Lockheed’s technical risk and costs, according to GAO. SAIC also said that DISA failed to meaningfully investigate whether Lockheed had unequal access to information pertaining to the contract, which would have been an organizational conflict of interest (OCI).
GAO determined that DISA’s evaluation of Lockheed’s proposal was “reasonable and consistent with [the] solicitation’s evaluation criteria,” Ralph White, GAO’s managing associate general counsel for procurement law, said in a statement. “GAO also concluded that the agency reasonably investigated Lockheed’s alleged OCI.”
Lawyers from both sides are working to release a public version of the decision.
“Lockheed Martin submitted an affordable and innovative solution, and we regard this as an opportunity to coordinate with DISA to improve the speed and efficiency of information exchange between our joint warfighters around the world as well as their commanders and allies,” Gerry Fasano, president of Lockheed Martin Information Systems & Global Solutions- Defense, said in a statement. “We have remained transition-ready throughout the protest period and look forward to beginning work on this critical mission.”
Lockheed Martin Corp. beat out incumbent SAIC to provide daily operations and sustainment of the Defense Department’s global data network. The contract has a ceiling of $4.6 billion over seven years — three base years and two two-year option years.
Several agencies have partnered to launch an online system for streamlining Freedom of Information Act requests.
The website, Foiaonline.regulations.gov, allows the public to submit FOIA requests, file appeals, search through requests from others and access previously released documents, the National Archives and Records Administration announced Monday.
NARA is partnering with the Commerce Department and Environmental Protection Agency to develop the website, which was built on the same infrastructure as EPA’s Regulations.gov website.
“FOIAonline avoided many start-up costs, resulting in a total of $1.3 million to launch and an estimated cost avoidance of $200 million over the next five years if broadly adopted,” NARA said.
So far, the Treasury Department, the Federal Labor Relations Authority, and the Merit Systems Protection Board have agreed to use the new FOIA portal. Agencies will be able to receive and store requests, assign and process requests, post responses, manage records electronically and more.
The website will also allow agencies to collaborate on FOIA requests and automate certain request tasks, according to OMB Watch, a government watchdog group. “This should help speed up processing and bring down the number of backlogged FOIA requests,” the group said.
The federal government had a backlog of 83,490 requests in fiscal 2011, up from 69,526 in fiscal 2010, according to FOIA.gov.
For now, users of the new FOIA website will not be able to track the progress of their FOIA request or communicate with the agency processing a request. Don’t be surprised if you can’t view details of the FOIA requests but, instead, get a message saying the description of this request is under agency review.